[HOTFIX] Android script loading, frida injected code view, paramiko S…

…SH issues (#2300)

* Android script loading bug fix
* Frida injected code view
* Paramiko SSH reactor to address some host key issues, revert from warning to autoadd.
* Frida Injection refactoring

mobsf/DynamicAnalyzer/tools/frida_scripts/android/auxiliary/string_compare.js

@@ -12,4 +12,4 @@ Java.perform(function () {
         }
         return response;
     }
-});
+});

mobsf/DynamicAnalyzer/tools/frida_scripts/ios/default/jailbreak_bypass.js

@@ -134,10 +134,84 @@ function bypassJailbreakDetection(){
     }
 }
 
-try {
-    if (ObjC.available) {
-        bypassJailbreakDetection();
-    } else {
-        send('[Jailbreak Detection Bypass] error: Objective-C Runtime is not available!');
+
+function bypassJailbreakDetection2() {
+    try {
+
+            var resolver = new ApiResolver('objc');
+
+            resolver.enumerateMatches('*[* *jail**]', {
+                onMatch: function(match) {
+                    var ptr = match["address"];
+                    Interceptor.attach(ptr, {
+                        onEnter: function() {},
+                        onLeave: function(retval) {
+                            retval.replace(0x0);
+                        }
+                    });
+                },
+                onComplete: function() {}
+            });
+
+            resolver.enumerateMatches('*[* fileExistsAtPath*]', {
+                onMatch: function(match) {
+                    var ptr = match["address"];
+                    Interceptor.attach(ptr, {
+                        onEnter: function(args) {
+                            var path = ObjC.Object(args[2]).toString();
+                            this.jailbreakCall = false;
+                            for (var i = 0; i < paths.length; i++) {
+                                if (paths[i] == path) {
+                                    this.jailbreakCall = true;
+                                }
+                            }
+                        },
+                        onLeave: function(retval) {
+                            if (this.jailbreakCall) {
+                                retval.replace(0x0);
+                            }
+                        }
+                    });
+                },
+                onComplete: function() {}
+            });
+
+            resolver.enumerateMatches('*[* canOpenURL*]', {
+                onMatch: function(match) {
+                    var ptr = match["address"];
+                    Interceptor.attach(ptr, {
+                        onEnter: function(args) {
+                            var url = ObjC.Object(args[2]).toString();
+                            this.jailbreakCall = false;
+                            if (url.indexOf("cydia") >= 0) {
+                                this.jailbreakCall = true;
+                            }
+                        },
+                        onLeave: function(retval) {
+                            if (this.jailbreakCall) {
+                                retval.replace(0x0);
+                            }
+                        }
+                    });
+                },
+                onComplete: function() {}
+            });
+            send("[Jailbreak Detection Bypass 2] success");
+        }
+        catch(e) {
+            send('[Jailbreak Detection Bypass 2] script error:' + e.toString());
+        }
     }
-} catch(err) {}
+
+    try {
+        if (ObjC.available) {
+            bypassJailbreakDetection();
+            // Disable the below if the app is crashing
+            setTimeout(() => {
+                bypassJailbreakDetection2();
+            }, "1000");
+        } else {
+            send('[Jailbreak Detection Bypass] error: Objective-C Runtime is not available!');
+        }
+    } catch(err) {}
+

mobsf/DynamicAnalyzer/tools/frida_scripts/ios/dump/data-dir.js

@@ -59,7 +59,9 @@ function getDataProtectionKeysForAllPaths() {
 
 send('Dumping Application Directory file information');
 try {
-    send(JSON.stringify({'[MBSFDUMP] datadir': getDataProtectionKeysForAllPaths()}));
+    setTimeout(() => {
+        send(JSON.stringify({'[MBSFDUMP] datadir': getDataProtectionKeysForAllPaths()}));
+    }, "2000");
 } catch(err) {}
 
 // /********************************************************************************

mobsf/DynamicAnalyzer/tools/frida_scripts/ios/dump/nsuserdefaults.js

@@ -28,5 +28,8 @@ function ns_userdefaults() {
 }
 
 try{
-    ns_userdefaults();
+    setTimeout(() => {
+        ns_userdefaults();
+    }, "2000");
+
 } catch(err) {}

mobsf/DynamicAnalyzer/tools/frida_scripts/ios/others/helper-backtrace.js

@@ -0,0 +1,16 @@
+// Get caller of the function using backtrace
+
+// From: https://node-security.com/posts/frida-for-ios/
+function getBacktrace(){
+	send('Get the caller of the function using backtrace');
+	Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementation, {
+		onEnter: function (args) {
+			const backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n");
+			console.log(backtrace + "\n");
+			console.log(ObjC.Object(args[2]).toString());
+		}
+	});
+}
+try {
+	getBacktrace();
+} catch(err) {}

mobsf/DynamicAnalyzer/views/android/frida_core.py

@@ -147,6 +147,7 @@ def spawn(self):
         except frida.TimedOutError:
             logger.error('Timed out while waiting for device to appear')
         except (frida.ProcessNotFoundError,
+                frida.ProcessNotRespondingError,
                 frida.TransportError,
                 frida.InvalidOperationError):
             pass
@@ -184,6 +185,7 @@ def session(self, pid, package):
         except frida.NotSupportedError:
             logger.exception('Not Supported Error')
         except (frida.ProcessNotFoundError,
+                frida.ProcessNotRespondingError,
                 frida.TransportError,
                 frida.InvalidOperationError):
             pass

mobsf/DynamicAnalyzer/views/android/frida_scripts.py

@@ -7,7 +7,7 @@
 
 def get_content(file_name):
     tools_dir = Path(settings.TOOLS_DIR)
-    aux_dir = tools_dir / 'frida_scripts' / 'ios' / 'auxiliary'
+    aux_dir = tools_dir / 'frida_scripts' / 'android' / 'auxiliary'
     script = aux_dir / file_name
 
     if script.exists():

mobsf/DynamicAnalyzer/views/android/tests_frida.py

@@ -102,6 +102,9 @@ def instrument(request, api=False):
         elif action == 'ps':
             logger.info('Enumerating running applications')
             data['message'] = frida_obj.ps()
+        elif action == 'get':
+            # Get injected Frida script.
+            data['message'] = frida_obj.get_script()
         if action in ('spawn', 'session'):
             if pid and pid.isdigit():
                 # Attach to a different pid/bundle id

mobsf/DynamicAnalyzer/views/ios/corellium_apis.py

@@ -344,6 +344,10 @@ def device_input(self, event, x, y, max_x, max_y):
             # Should not be greater than max screen size
             swipe_x = min(int(x) + 200, int(max_x))
             swipe_y = min(int(y) + 400, int(max_y))
+            # Just to prevent linter complaining
+            # Make use of these variables in future
+            swipe_x = swipe_y
+            swipe_y = swipe_x
             if event == 'home':
                 data = [{
                     'buttons': ['holdButton'],
@@ -374,8 +378,9 @@ def device_input(self, event, x, y, max_x, max_y):
             elif event == 'swipe_down':
                 data = [{
                     'startButtons': ['finger'],
-                    'start': [[x, swipe_y]],
-                    'end': [[swipe_x, y]],
+                    'start': [[300, 600]],
+                    'bezierPoints': [[[700, 350]], [[850, 375]]],
+                    'end': [[950, 400]],
                     'duration': 200,
                 }]
             elif event == 'swipe_left':

mobsf/DynamicAnalyzer/views/ios/corellium_instance.py

@@ -358,7 +358,7 @@ def appsync_ipa_install(ssh_string):
     out = ssh_execute_cmd(target, 'appinst /tmp/app.ipa')
     target.close()
     jumpbox.close()
-    if 'Failed' in out:
+    if 'Successfully installed' not in out:
         logger.error('AppSync IPA Install Failed.\n%s', out)
         return out
     logger.info(out)

mobsf/DynamicAnalyzer/views/ios/corellium_ssh.py

@@ -212,8 +212,7 @@ def ssh_jump_host(ssh_string):
     generate_keypair_if_not_exists(home)
     keyf = home / 'ssh_key.private'
     jumpbox = paramiko.SSHClient()
-    jumpbox.load_system_host_keys()
-    jumpbox.set_missing_host_key_policy(paramiko.WarningPolicy())
+    jumpbox.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     jumpbox.connect(
         bastion_host,
         username=bastion_user,
@@ -226,8 +225,7 @@ def ssh_jump_host(ssh_string):
         'direct-tcpip', dest_addr, src_addr)
 
     target = paramiko.SSHClient()
-    target.load_system_host_keys()
-    target.set_missing_host_key_policy(paramiko.WarningPolicy())
+    target.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     target.connect(
         private_ip,
         username=user,